Okay, three people, four people leaving already.
That's good.
Five, six.
This was meant as a general session.
So if you're expecting a hardcore session again, well, you know the drill.
The two people that remain here, I'm going to show you the differences between IP version 4 and IP version 6.
And, of course, what we can do with that from a security point of view.
I'll go to show you the incredible, fantastic security features that are in IP version 6.
And, of course, I'll show to you how unhackable this protocol is.
A couple of new security issues, if there might be any, and the status on the old ones.
That should do the trick.
I'm Brenno de Winter.
I'm 29 years old.
I started programming.
I can't type, I see.
I started programming at something when I was eight years old, I guess.
I was busy with security since I was 15.
Guess what that may be.
And I work for myself.
I hate to gamble.
I do a lot of Linux and Unix.
And, unfortunately, sometimes you have to do Windows.
I'm running Ximian.
So if somebody wants to make comments on that, I did that because it was so incredibly insecure.
I found it really funny.
Is anybody using Ximian here, by the way?
Isn't that cool that you have to install it by opening it with links?
Send it to a root shell, and God knows what happens.
Excellent.
I do a lot on telephony over the internet.
So telephony over IP and voice over IP.
And I write some articles.
Among that for Linux Journal.
Okay, enough about me.
Let's start on IP version 4.
If you don't know IP version 4, he's showing the door already.
Move.
Get a course, but don't bother me with those questions like,
I mean, I expect you to know that a little bit, at least.
Just to refresh your memory,
in 1983 it was introduced as TCP/IP,
meant as a war protocol.
So if you want to send data in a war field,
like in China or so,
apparently on this stage it's very popular to say things about China.
You were there this morning, yeah, wasn't it great?
And it was based on OC.
No matter what happens, and that is the thing we should remember,
data should always get from A to B.
Even if a connection fails, there's a different route and you will get there in the end.
That is the story, basically, of IP version 4 on the positive side.
The protocol is extremely simple.
There are some minor issues with IP version 4, and I should have added
ICMP this afternoon, actually.
Sniffing, IP spoofing,
lack of possibilities for authentication,
and denial of service attacks.
We all know them.
And of course, if you go to a new protocol,
the main question is, is this going to change?
Yes, there are things you can do about it,
but it's not like a total solution.
Basically, there is no solution.
If I do telephony, and you see a bunch of colleagues of mine standing in line, that is basically to show the queuing before a router, to me, yeah, to make fun of them basically.
And you can have a phone, you start to dial people, and you come up to a router, and your call doesn't have any quality, because it's a war protocol.
It's not meant for telephony over the network; it's meant to send data, to send a picture over or something like that.
So they call that quality of service, and then you can have a seminar about it and earn shedloads of money.
Basically it's just a poor performance of your network, but they demand more fixed connections, and that is typically what IP version 4 is not.
So they found IP version 6 to address these issues, and one of the most important things was the upgrade should be easy.
And people don't understand the internet now, and they sure are not going to understand it when more people are joining.
More addresses: people always think this is the main reason why we are going for IP version 6.
I mean, read an article and everybody's shouting over getting more addresses, but we have all types of lame hacks to make IP version 4 work, and if we really want to we could keep that alive.
If you want to do it is another question.
You want to add a couple of special text for streaming data, and now some people will think, yeah, but that's also available in IP version 4.
Yeah, but it was not implemented in all routers, and it doesn't then work.
Now Cisco promised to do a better job with IP version 6, right?
But the last one is the method for mobile devices.
They want to have mobile devices have an IP address, and if you
take it from that perspective, yes, then you need a couple of extra ones. So they want
to have your cell phone to have an IP address. If they're now secure, then they're definitely
not anymore. So they go to 120-bit addresses, and it looks a little bit funny. I made up
a funny address there as I get it at my own computer, and it doesn't resemble anything.
If you could remember IP addresses, you must be a total geek if you can remember this by
heart. Basically, you represent each time 16-bit, and this makes it very hard to understand.
And guess what? One address won't do the trick. We are getting multiple addresses. So if you
could remember it, this will ensure you can't anymore. You get a unicast, an anycast, a
multicast type address. That means, for instance, if you want to deliver to a single address, I'm
addressing that single address. If I want to address a group, I have a special IP address
to do that, which, of course, makes the life of a programmer easy. You just join a group
in a multicast address, and basically, you get all the IP addresses. Now, there is no
security mechanism that checks if you join a multicast group. Isn't that nice?
For all the hackers out here, sorry,
there won't be any. For all the persons that want to test network security, just join a
group in a multicast session, and that's it. That's all you have to do. And IP version
6 will ensure it gets to your desktop just the way you want it.
A couple of other things is that you can also make a scope for an address. A local
address that will not be routed at all. A site address that will only be routed within
a certain site, so you need to make sure it won't reach the Internet. Or a global
address, which can be routed over the Internet. And this is basically their way of securing
local traffic to remain local. I call it security by obscurity a little bit, but that is basically the way they do
it. Of course, you keep a lot out, but the moment you have got access to a router and
given the latest exploits on Cisco, they are working very hard to provide you that access.
It's still very easy to sniff a local network. But at least it's a little bit more protected
than it was in IPv4. For compatibility with IPv4, there is basically a trick of having
only the 32 bits of IPv4 address. And you fill that with zeros and 16 ones. So very
easy to recognize and you're totally compatible. That means that you can interface from an IPv6
workstation with an IPv4 workstation. Basically because it's OSI. They also have got special
addresses for compatibility with, for instance, IPX. If you want to include IPX into IPv6
packets, no problem. Go ahead. And that brings us to the headers. And they look a little
bit funny. The top one is very simple. I've got the
IPv6 header, some type of an extension header, UDP or TCP, and some data. Very simple,
40 octets, and that is basically the trick. It's the double size of IPv4, but because
of the logic structure, it's sometimes easier to route it and you can reach higher speeds,
especially because you now can make a distinction between sites and global addresses. What is
cool, though, is that you can add as many headers as you want.
And this is the part people testing security should pay attention. If you look over here,
you see an IPv6 header, which can encapsulate IPv6 or IPv4. Or IPv6 can encapsulate IPv6,
can encapsulate IPv4. Plenty of opportunities to do some nice things about it with that.
Also you can have a certain...
Authentication header. IPv6 has the IPv6 security, so-called security mechanism. If
you think that's secure, talk to Bruce Schneier. He's around here somewhere, and you'll find
that it's not that easy. Sorry, not that safe. My English is sometimes... I'm sorry.
A special header is added for routing, so you can learn what route a package takes.
That is an excellent method.
A couple of other things that you can do.
One is to do...
To do man-in-the-middle attacks. If you just check on a couple of those headers,
Thank you very much. I've got all the information I need. And basically, off you go.
Fragment headers are the type of headers that say, like, okay, this is fragment number one, but some other fragments will follow.
Since you can change the payload somewhat, it is easy to say, okay, there will be another package after this, and basically add data you want to add and do some intelligent things, and nobody will ever know what happened.
They also offer an encapsulation secure payload header, which basically means that they can securely add tunneling information.
Again, that is based on PKI, so it's again easy to work around.
It's also easy to work around because in many implementations that are available currently you can just remove the header, and if there's no authentication header they think, like, okay, we're not going to authenticate, and that's it.
A header in general consists of a version of four bits, a traffic class of eight bits, a flow label (I'll go through each and every one in a second), a payload length, next header, and the hop limit.
Very interesting is the first one, the version of four bits.
If I have a four-bits header, sorry, a four-bit version field, I can indicate this is an IP version 4 or an IP version 6 packet.
When it arrives, the stack will make the distinction what it is and hand it to the right stack.
That is basically all it does, so you are what they then call backwards compatible.
Plenty of stuff to play around with.
Traffic class: I told you about this telephony and that you have this poor network quality.
By setting the traffic class correctly, you can get a priority in a router queue, which is basically a very interesting thing, but there's still the risk that they are not going to implement it.
Also, this traffic class is not checked
in any way.
That means that any application can set it, which also means that what happens with the quality of service bits, sorry, the type of service bits, in IP version 4 already: everybody all of a sudden is setting that bit, I need priority for my email, and basically you're back to square zero.
So yes, you do have a lot more options, and if everybody is nice, that's good, but in general it doesn't bring you the total quality of service.
And still you can denial of service any voice call in that way.
In the next header you can also add, and that is very interesting, a couple of settings, like for instance, discard this package.
Basically I'm sending data in and you don't want to know about it.
Discard the package and send an ICMP parameter problem message to the source.
So basically I get emotional, I'm going to talk about ICMP.
Basically I'm sending a packet in, and the moment it arrives I do nothing with the data, so anything can be in there and can be used and exploited, but I'm sending an ICMP package back.
The last one I found very interesting: what data may change en route.
We're listening to... new things, and some new implementations of ICMP, and I know Echo Request and Echo Reply is... so don't start bugging me about that.
There are some new types of errors, and one very interesting one is packet too big, because it's all defined and it shouldn't be possible, but the packet too big is something that I think could be a very nice exploit, when you just send data over and you start sending packet too bigs, God knows what happens.
It has not been fully well defined.
Okay, the package will be smaller, but also there's a very fair chance it will try to make a different route, since every router will add a part to the router header.
A couple of other things are multicast listeners, for the ones that want to have a multicast address.
Basically that means, okay, I want to join this multicast network, and you will be added.
There is no checking mechanism. You
have a question?
AUDIENCE MEMBER
What operating systems contain a full IPv6 implementation?
Right, very good question, and that's why it's one of my next slides.
New, or not totally new but implemented in IPv6, is the router solicitation: okay, I'm new to the network, what are my local nearest routers?
That, by the way, is something that has led to a lot of bugs already in the Linux implementation.
You have this daemon called radvd,
and basically the first versions were so lame
that sometimes you didn't see a router,
and I had to ping from another machine to my machine
in order to be able to reach that router,
else they didn't see each other.
Those versions are a lot better now,
but you're still depending on correct responses.
That is definitely something that you can easily denial-of-service.
Neighbor solicitations, okay, who is in the room?
I mean, don't start shouting,
but can you imagine if I join this network
and I start like, hi, I'm Brenno, who's in the room?
And everybody starts shouting back,
what will happen to your network?
NetBIOS did something similar, didn't it?
And the last one is a redirect message.
Don't use that door, only use that door.
Will it come?
And there we are.
Yes, apparently it will.
Cisco delivers routers with IPv6 since June of this year.
And if Cisco does it, then apparently it will.
Nortel has been doing that for a couple of years now.
There is a backbone in Japan currently running IPv6.
And don't forget the telcos,
and I include Cisco in that.
They will push this ahead since it's a big step for voice-over IP.
Cisco is very aggressive.
One of my customers is Philips in the Netherlands,
and we do voice-over IP,
and apparently Cisco is our major competitor there.
So they have a clear interest,
and we do have a clear interest in pursuing that.
Only from a security point of view,
that's of course a question if you want to do it.
Free software is more,
and more IPv6 enabled.
Linux has had it in all the 2.4 kernels by default already.
A lot of 2.2 kernels have it already.
And there is a lot of software that is already ready for IPv6.
So yes, it will come.
Microsoft slowly starts to support it.
They have had a research facility working on that for, I believe,
more than two years.
But they really didn't want,
to work with that too much yet.
They had some challenges with IPv4, I guess.
But they worked them out,
and now they are really ready for IPv6.
They are now officially supporting it.
Which basically shows that it's a secure protocol,
because else a company like Microsoft wouldn't do this.
But a really comforting thing for me,
is the last one.
Many patches are currently filed.
And that means that people are using it,
finding bugs apparently in the Linux implementations.
And with the new version of the kernel,
sometimes like eight, nine patches follow up,
like three or four days later.
So that indicates that at least some people are working with it,
and are responding to mailing lists.
Now, how did the designers of IPv6 see security in general?
So, Request for Comments 2401 defines the general security architecture,
and it speaks of an authentication header or encryption extensions.
That might be any encryption you want to add.
That, of course, is very interesting on its own.
You can make a security association between two sites.
That basically means that we are going to exchange information,
and we are going to negotiate on the protocol.
It's like building a trust in Windows NT.
Well, that's a bad example.
We are just going to exchange and to negotiate the protocol.
That's basically it.
It's logic that if we are going to do it,
it's possible that I can have a bunch of people
where I have a security association with.
There are two modes I can work with,
the tunnel mode or the transport mode.
The tunnel mode is the transport mode.
The tunnel mode basically is meant not end-to-end,
but, for instance, I've got an IPv6 connection with you,
and some part of it is IPv4.
Then I can pack IPv4 into IPv6 into IPv4
and still have my IPv6 connection with all my features.
Of course, a weak link then is IPv4.
All right.
Authentication is basically 32-bit words, so 96-bit authentication
with integrity checking
and authentication of the data origin.
There is an optional anti-replay service.
I wonder who requested that.
And it is mostly based on IPsec, but not totally.
I mean, if you want to run another protocol, it is possible.
By the way, I'm still amazed about this anti-replay service,
because if you make a little patch to the stack,
you can disable that.
So, I mean, if you run Linux and you can code a little bit,
if you can type the pound sign,
then you can change a lot already.
Some new security issues in this also fantastic protocol.
Privacy firewalls.
If I can authenticate everybody that sends data to me,
how are we looking on privacy?
Sorry, privacy you say in America, don't you?
How am I looking at privacy then?
That is currently a big issue.
And, of course, the industry is saying not to worry about that.
We are trustworthy.
Microsoft as number one.
But without joking, that is a serious issue.
If you can't buy something online anymore,
because they do want to check your source address,
because they've got a lame credit card system,
that basically you have to do it.
I mean, or you can't buy anymore.
But it does affect you,
and it makes it somewhat more proprietary.
Apparently, there is a bug in the mobile version of IP version 6.
And I wrote this.
It is so vaguely, because I really tried to find more information on that,
but nobody wants to tell me or talk about it,
or it's not basically a problem.
IEEE doesn't know really what it's all about, etc.
But they are working on the new standard again.
Okay.
IPsec in general, despite the objections from Bruce Schneier,
it doesn't really work, because there isn't an authority.
You can't get handouts keys, yeah, of course, or HillStorm, sure.
In general, there isn't an authority, and who should that be?
Interdict? I don't think so.
The processing demands on these devices are very heavy,
which doesn't really matter for a PC,
but if you want to have it on mobile devices,
and that is one of their aims, it is a big issue.
By the way, I'm also wondering how they're going to solve .NET, then,
because they want to run that on mobile devices as well.
With this new protocol, you run into double exploits.
If I'm tunneling on IP version 4, what does that mean?
Am I now all of a sudden more vulnerable,
or can I make the other side an IP version 4 side,
and don't I have to do any authentication anymore?
Because it's not in IP version 4?
And don't forget, ICMP has been extended.
So all the people that now turned off ICMP are most likely,
if you're going to use IP version 6, turn it on again.
Ophir will thank people for that.
Some cards on the table on the old issues.
The man-in-the-middle attack.
Well, I have to admit, IP version 6 is really optimized for a man-in-the-middle attack now.
You can do so many nice things within the header to make it to flow your way,
and if you think authentication is going to solve the problem,
no, it's definitely not, because it's just a header sending a signature,
but it's not over...
it's...
the signature is over all the data,
they think, but that's definitely not true.
It's just like, hello, it's me, I'm Brenno, and I'm sending you data.
After that, I can do with the data whatever I want.
And that's always the worst position to be in.
You think you're secure, but you're not.
Have a nice day.
Sniffing, well, Ethereal is already IP version 6 enabled,
so that's no problem.
Spoofing addresses.
I don't see a reason, sincerely, why I shouldn't be able to spoof addresses.
Okay, if you do authentication, it's a little bit harder.
But since there's no key authority, I think that wouldn't be too much of an issue,
even if they use authentication.
I really wonder if they are going to use authentication at all.
And, of course, we have the professional end-to-end screw-ups.
What about .NET?
I do want to talk about it for a couple of seconds.
Don't you just love that?
Forget about the firewall.
Why do we need it?
We have an HTTP tunnel, and that will run our program.
Our program will compile on your computer,
and it will run twice as fast as all of our other Visual Basic applications.
And no matter what security you took with IP version 6,
it doesn't matter a single bit anymore.
Because it will go to the other side, and it will run there.
And you don't even have to worry about the firewall.
Mails with scripts, those type of things, web scripts, they're all still there.
So it's just a new transport mechanism, which does have a lot of advantages,
but from a security point of view, it doesn't even solve it.
As, by the way, Bruce Schneier said earlier this week,
every version of Windows that's released, things are worse.
I think every version of IP that is released,
you could say the same.
DEF CON will definitely go on if IP version 6 comes there.
So I would like to thank you for your attention.
Thanks that you joined me so right in time.
And I hope to see you next year again.
Are there any questions, by the way?
Yeah.
MALE SPEAKER 2
Yeah.
The sequencing has been changed in IP version 6.
So it is now, if I'm not mistaken,
of course I haven't researched that myself too much,
but if I'm not mistaken, IP version 6 now just sequentially adds numbers.
So, it's like a straight numbering scheme.
In general, TCP itself remains, that remains the same.
Yeah.
I don't think everybody can hear it, so.
What I'm saying is right now, generally with, you know,
I know that packet sequencing in TCP is considered pretty safe at this point,
and I think it'll just continue to be safe, even with IPv6,
as long as people make educated decisions when they're writing applications.
So, I don't think that the network layer really has much to do with that sort of...
Yeah.
Being safe, by the way, is state of mind, so, yeah.
Yeah?
Yeah?
Yeah.
Yeah, that's absolutely true.
Yeah, you tell them now.
It's kind of amusing.
I was at a DEF CON thing two years ago,
and they saw IPv6 maximum packet size is one gigabyte, so have fun.
I would love to see the CRC of that, by the way.
Hey.
When's it going to be widely deployed?
I think it will be pretty soon.
Yes.
Yeah, Microsoft is now formally supporting it.
Cisco is rolling it out in its routers.
I think in a year or two, it will be, like, seriously deployed.
Currently, of course, you have got networks, and go to an IT manager and say,
hey, let's go to IPv6.
You have to have a damn good reason.
At this point, you don't.
But I think that's just a matter of time.
It's really fond of IPv6,
and their government is spending a lot of money on it.
Any other questions?
Okay, thank you all for being here.
Thank you.
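An added example, not part of the talk or of any product it mentions: a Python decoder for the 40-octet fixed header the talk walks through (4-bit version, 8-bit traffic class, 20-bit flow label, payload length, next header, hop limit), which then follows the Next Header chain through a fragment header and reports the "zeros and 16 ones" IPv4-compatible form of the source address. The packet, its addresses and port numbers are constructed for the example, not captured.

```python
import struct
import ipaddress

# IANA protocol numbers as they appear in the Next Header field
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 60
EXT_NAMES = {HOPOPT: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             ESP: "esp", AH: "ah", DSTOPTS: "dest-options"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-octet fixed header: 4-bit version, 8-bit traffic class,
    20-bit flow label, payload length, next header, hop limit, two addresses."""
    if len(pkt) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 octets")
    first, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first >> 28
    if version != 6:
        raise ValueError(f"version field is {version}, not 6")
    src = ipaddress.IPv6Address(pkt[8:24])
    return {
        "version": version,
        "traffic_class": (first >> 20) & 0xFF,  # set by the sender, checked by nobody
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": src, "dst": ipaddress.IPv6Address(pkt[24:40]),
        # ::ffff:a.b.c.d form: 80 zero bits, 16 one bits, then the 32-bit IPv4 address
        "src_ipv4_mapped": src.ipv4_mapped,
    }


def walk_extension_headers(pkt: bytes):
    """Follow the Next Header chain to the upper-layer protocol and return
    (fixed_header, [(name, details), ...], final_next_header, offset).
    Stops at ESP: what follows it is opaque without the security association."""
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length runs past the end of the packet")
    nh, off, chain = hdr["next_header"], 40, []
    while nh in EXT_NAMES:
        if nh == ESP:
            chain.append(("esp", {}))
            return hdr, chain, ESP, off
        if off + 8 > end:
            raise ValueError("extension header runs past the payload")
        if nh == FRAGMENT:
            # Fixed 8 octets: next(1) reserved(1) offset<<3|res<<1|M(2) identification(4)
            nxt, _res, offlags, ident = struct.unpack("!BBHI", pkt[off:off + 8])
            chain.append(("fragment", {"offset": offlags >> 3,
                                       "more": bool(offlags & 1), "id": ident}))
            length = 8
        else:
            nxt, hdr_ext_len = pkt[off], pkt[off + 1]
            # AH counts its length in 4-octet units minus 2; the others in 8-octet units minus 1
            length = (hdr_ext_len + 2) * 4 if nh == AH else (hdr_ext_len + 1) * 8
            chain.append((EXT_NAMES[nh], {"length": length}))
        off += length
        nh = nxt
    return hdr, chain, nh, off


# Constructed sample (not a capture): IPv6 | Fragment (More Fragments set) | UDP | 4 octets
_src = ipaddress.IPv6Address("::ffff:192.0.2.1").packed
_dst = ipaddress.IPv6Address("2001:db8::1").packed
_udp = struct.pack("!HHHH", 5060, 5060, 12, 0) + b"ping"
_frag = struct.pack("!BBHI", UDP, 0, (0 << 3) | 1, 0xDEADBEEF)
_payload = _frag + _udp
SAMPLE = (struct.pack("!IHBB", (6 << 28) | (0xB8 << 20) | 0x12345, len(_payload), FRAGMENT, 64)
          + _src + _dst + _payload)
```

Run `walk_extension_headers(SAMPLE)` to see the fragment header reported with More Fragments set and the chain ending at UDP (17) at offset 48.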
